3.9.2 has a weight of -5 points
(Personnel Security Family) 2/2
Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
Example of System Security Plan (SSP):
System Security Plan (SSP) – Control 3.9.2
Control Identifier: 3.9.2
Control Title: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
Control Description: This control focuses on safeguarding Controlled Unclassified Information (CUI) during and after personnel actions such as terminations and transfers. The organization ensures that thorough out-processing steps are taken to prevent departing employees from having unauthorized access to CUI. This includes HR notifications, disabling system accounts, collecting system-related property, conducting exit interviews, and updating security systems as necessary.
Current Implementation:
- The organization has established a comprehensive process for protecting CUI during and after personnel actions. The process involves collaboration between various departments, including HR, Facility Security Officer (FSO), Equipment Custodian, and other company representatives.
- Key aspects of the current implementation include HR notifications, immediate termination of system access, password resets, updating physical security systems, and escorting departing employees out of the building.
- All access, including computer systems and physical building access, is promptly removed upon personnel actions, such as terminations. Departing employees are escorted out of the building, and personal items are collected by security officers and managers.
- Notably, departing individuals are not permitted to clean out their computer systems, mobile devices, or offices. All these tasks are carried out by authorized staff members to ensure the security and integrity of CUI.
- The procedures and policies governing these actions are documented in the organization’s Employee Handbook, ensuring that all employees are aware of the strict security protocols in place during personnel actions.
Protection of CUI During Personnel Actions:
- The organization recognizes the importance of protecting CUI during personnel actions, including terminations and transfers. This includes returning system-related property, conducting exit interviews, and reminding departing individuals of nondisclosure agreements.
Example of Plan of Action and Milestones (POA&M):
POA&M (Plan of Action and Milestones):
1. Review of Exit Procedures:
- Description: Review and update exit procedures to ensure that they align with the current requirements for protecting CUI during and after personnel actions, emphasizing the role of authorized staff in cleaning out personal items.
- Responsible Party: HR Department
- Target Completion Date: MM/DD/YYYY
2. Documentation Update:
- Description: Update documentation, including the SSP and Employee Handbook, to reflect the organization’s commitment to protecting CUI during personnel actions and the specific procedures for securing personal items.
- Responsible Party: IT Documentation Team
- Target Completion Date: MM/DD/YYYY
3. Employee Training:
- Description: Provide training to employees, especially those in HR and management roles, regarding the importance of protecting CUI during personnel actions and the specific procedures outlined in the Employee Handbook.
- Responsible Party: Training and Development Team
- Target Completion Date: MM/DD/YYYY
4. Exit Interview Process:
- Description: Review and enhance the exit interview process to ensure that departing employees understand security constraints, including the prohibition of self-cleaning, and the return of system-related property.
- Responsible Party: HR Department
- Target Completion Date: MM/DD/YYYY
5. Physical Security Updates:
- Description: Ensure that physical security systems are promptly updated to reflect changes in access permissions and building security requirements during personnel actions.
- Responsible Party: Facility Management Team
- Target Completion Date: MM/DD/YYYY
6. Continuous Monitoring:
- Description: Implement a continuous monitoring process to track compliance with CUI protection during personnel actions, including the strict adherence to procedures regarding personal item collection as outlined in the Employee Handbook.
- Responsible Party: IT Security Team
- Target Completion Date: Ongoing
Completion Criteria: Each POA&M item should be completed as per the target completion date. The responsible parties should ensure that the control is effectively implemented and continuously monitored.
Review and Reporting: The organization’s IT Security Team will provide regular progress updates and reports to the senior management team regarding the status of the POA&M items and the overall effectiveness of the control.
Signature: [Authorized Official]
Date: MM/DD/YYYY
Termination and Personnel Actions Policy:
Termination and Personnel Actions Policy
1. Introduction
At [Your Company Name], we are dedicated to safeguarding Controlled Unclassified Information (CUI) and maintaining the highest level of security during personnel actions, including terminations and transfers. This policy outlines our procedures and protocols to ensure the protection of CUI and the security of our systems and facilities during and after such actions.
2. Responsibilities
- Human Resources (HR): HR will promptly initiate personnel actions and notify relevant departments, including the Facility Security Officer (FSO), IT, Equipment Custodian, and other company representatives, as necessary.
- Facility Security Officer (FSO): The FSO will oversee the implementation of security measures during personnel actions and ensure compliance with relevant security protocols.
- IT Department: IT will immediately terminate system access, reset passwords, and update physical security systems as needed.
- Security Officers and Managers: Authorized security officers and managers will escort departing employees out of the building and collect system-related property.
3. Protection of CUI During Personnel Actions
3.1 HR Notifications
Upon initiation of a personnel action, such as termination or transfer, HR will promptly notify the relevant departments to initiate the security procedures.
3.2 Immediate Termination of System Access
To prevent unauthorized access to CUI, IT will immediately terminate system access for departing employees, including disabling user accounts and resetting passwords.
3.3 Updating Physical Security Systems
Physical security systems will be updated to reflect the change in personnel status, ensuring that access to our facilities is controlled and restricted as needed.
3.4 Escorting Departing Employees
Upon personnel actions, such as terminations, departing employees will be escorted out of the building by authorized personnel to prevent unauthorized re-entry.
3.5 Collection of System-Related Property
To maintain the security and integrity of CUI, departing individuals are not permitted to clean out their computer systems, mobile devices, or offices. Authorized staff members will handle the collection of system-related property, including hardware and storage devices.
3.6 Exit Interviews
Exit interviews will be conducted with departing employees to discuss nondisclosure agreements, security obligations, and to collect any company property in their possession.
3.7 Return of Company Property
Departing employees must promptly return all company property, including computer systems, mobile devices, access badges, keys, and any other items issued to them.
3.8 Access Revocation
Access to all company systems, including computer accounts, email, and building access, will be revoked immediately upon the initiation of personnel actions.
3.9 Confidentiality Obligations
Departing employees are reminded of their confidentiality obligations and the importance of not disclosing sensitive information, even after their departure.
3.10 Contacting HR for Terminations
For terminations, the firing manager is required to immediately contact HR, who will then initiate the necessary security measures. HR will subsequently contact IT and the Facility Security Officer (FSO) to ensure the prompt implementation of security protocols.
3.11 Retrieval and Inventory of Personal Devices
Personal devices and physical access devices issued by the company will be retrieved and checked against inventory records to ensure all assets are accounted for during personnel actions.
4. Reporting Suspicious Activity
Employees are encouraged to report any suspicious or concerning behavior related to personnel actions. A clear process for reporting such incidents, including contact information for relevant security personnel, is provided.
5. Legal and Regulatory Compliance
This policy complies with all applicable federal and state laws, regulations, and industry standards related to personnel actions, data protection, and security.
6. Communication
Departing employees will be informed of security protocols and procedures during personnel actions through written notices and verbal communication.
7. Training
Personnel actions and security protocols are incorporated into our employee training programs to ensure that all employees are aware of the policy and receive training on their responsibilities during personnel changes.
8. Review and Updates
This policy will be reviewed regularly to assess its effectiveness and to make adjustments based on lessons learned and changes in regulations or technology.
9. Non-Retaliation Clause
Employees who report security concerns or violations related to personnel actions will not face retaliation or adverse employment actions for doing so.
10. Conclusion
At [Your Company Name], we take the protection of CUI seriously. Our Termination and Personnel Actions Policy is designed to ensure that CUI remains secure and confidential during and after personnel changes. We appreciate the cooperation of all employees in upholding these security measures and maintaining the trust of our clients and partners.
RELEVANT INFORMATION:
Protecting CUI during and after personnel actions may include returning system-related property and conducting exit interviews. System-related property includes hardware authentication tokens, identification cards, system administration technical manuals, keys, and building passes. Exit interviews ensure that individuals who have been terminated understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics of interest at exit interviews can include reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and non-availability of supervisors. For termination actions, timely execution is essential for individuals terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals that are being terminated prior to the individuals being notified. This requirement applies to reassignments or transfers of individuals when the personnel action is permanent or of such extended durations as to require protection. Organizations define the CUI protections appropriate for the types of reassignments or transfers, whether permanent or extended. Protections that may be required for transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; changing system access authorizations (i.e., privileges); closing system accounts and establishing new accounts; and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.
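The reconciliation that policy sections 3.2, 3.8 and 3.11 and the discussion above call for (terminated accounts disabled, old-position privileges removed on transfer, issued property checked against inventory), as an added example that is not part of this page or of any NIST or CMMC material. It assumes HR actions, directory account state and the property inventory are available as the constructed records below, and it reports every item that is still open, including the future-dated action that is not yet due.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class PersonnelAction:      # HR notification (policy 3.1 / 3.10)
    user: str
    kind: str               # "termination" or "transfer"
    effective: date
    new_privileges: set = None  # transfers only: what the new position needs

@dataclass
class AccountState:         # directory record (policy 3.2 / 3.8)
    user: str
    enabled: bool
    privileges: set

def offboarding_findings(actions, accounts, inventory, today):
    """Return (user, finding) pairs for actions due by `today` that are still incomplete."""
    by_user = {a.user: a for a in accounts}
    findings = []
    for act in actions:
        if act.effective > today:
            continue                            # not yet due
        acct = by_user.get(act.user)
        if act.kind == "termination" and acct is not None:
            if acct.enabled:
                findings.append((act.user, "account still enabled after termination"))
            if acct.privileges:
                findings.append((act.user, "privileges still assigned: " + ", ".join(sorted(acct.privileges))))
        elif act.kind == "transfer" and acct is not None:
            stale = acct.privileges - (act.new_privileges or set())
            if stale:
                findings.append((act.user, "old-position privileges not removed: " + ", ".join(sorted(stale))))
        # System-related property checked against inventory; for transfers the old location's items must come back too
        for item, returned in inventory.get(act.user, {}).items():
            if not returned:
                findings.append((act.user, item + " not returned"))
    return findings

# Constructed sample records; not taken from any real directory or inventory system.
TODAY = date(2024, 3, 1)
ACTIONS = [PersonnelAction("jdoe", "termination", date(2024, 2, 28)),
           PersonnelAction("asmith", "transfer", date(2024, 2, 15), {"cui-share-east"}),
           PersonnelAction("bwong", "termination", date(2024, 3, 15))]   # future-dated, skipped
ACCOUNTS = [AccountState("jdoe", True, {"cui-share-west"}),
            AccountState("asmith", True, {"cui-share-west", "cui-share-east"}),
            AccountState("bwong", True, {"cui-share-west"})]
INVENTORY = {"jdoe": {"building pass": False, "hardware token": True},
             "asmith": {"west-campus key": False}}   # item -> returned?
```

Running `offboarding_findings(ACTIONS, ACCOUNTS, INVENTORY, TODAY)` on these records yields five open items for jdoe and asmith and nothing for bwong; an empty list is the condition the POA&M's continuous-monitoring item would track.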
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.